Microsoft's monthly Patch Tuesday security updates are out, and for August 2018, the Redmond-based OS maker has fixed 60 security flaws, including two zero-days under active attacks.

The two zero-days are CVE-2018-8414 and CVE-2018-8373.

The SettingContent-ms debacle

Microsoft describes CVE-2018-8414 as a vulnerability in the Windows Shell, but in reality, this refers to the use of SettingContent-ms files —aka Windows 10 control panel shortcuts— for malware distribution.

Bleeping Computer previously reported on this topic in June when a SpecterOps researcher showed how hackers could abuse these types of files to eecute malicious code on users' PCs.

With today's updates, Microsoft has taken Windows 10 defenses a step further by ensuring that the Windows Shell properly validates file paths when executing SettingContent-ms files, preventing the original trick detailed by the SpecterOps researcher from working.

The IE zero-day

The second zero-day fixed this month is CVE-2018-8373, which Microsoft describes as "a remote code execution vulnerability [that] exists in the way that the scripting engine handles objects in memory in Internet Explorer."

Exploiting this flaw allows an attacker to run malicious code with the user's privilege. If the user is using an admin account, as most users tend to do on Windows, then the malicious code can wreak some serious havoc.

The zero-day can be exploited via web-based attacks if a user is accessing a malicious website via Internet Explorer, but also via email spam if a user opens documents in applications that embed the IE rendering engine.

Microsoft said details about this vulnerability became public and the company also recorded attacks using this flaw before today's updates. Bleeping Computer was unable to find any details about past campaigns. Microsoft credited security researcher Elliot Cao for discovering CVE-2018-8373.

Security advisories

On top of this, the Microsoft August 2018 Patch Tuesday also includes three security advisories that include patches for non-Windows security issues that the OS maker deemed critical enough to embed within its regular OS updates.

The first is ADV180018, which is a security advisory containing updates for the L1TF/Foreshadow vulnerability that affects Intel CPUs. More detailed info on this is available in a separate Bleeping Computer article.

The second is ADV180020. This security advisory includes this month's Adobe Flash Player fixes, detailed in a separate Bleeping Computer article here.

The third is ADV180021, also known as the "Microsoft Office Defense in Depth Update," which, obviously, contains security updates for Microsoft Office vulnerabilities.

Below is a table listing of all the security issues Microsoft fixed this month. We used PowerShell and the Microsoft API to assemble the table below, but the report is much longer. We hosted the full report on GitHub, here.

If you're not interested in all security updates and you'd like to filter updates per product, you can use Microsoft's official Security Update Guide, available here.

Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.